Security & Compliance

The detailed, plain-English version of how JazzNode protects your data.

Last updated: April 14, 2026

1. Our security philosophy

JazzNode exists so that musicians, venues, and fans can trust a single source for the shows that matter. That trust is built on three principles: minimize what we hold, ride on audited infrastructure, and be honest about what we have and haven't done.

We are not a large company. We don't pretend to be one. Instead, we build on providers that have passed the audits large enterprises require, so the same guarantees apply to your data here.

2. Infrastructure & vendor compliance

JazzNode runs on a small number of carefully chosen providers. Each maintains independent third-party audits:

Stripe (payments): PCI DSS Level 1 — the highest card-industry certification. Stripe handles all card data; JazzNode never stores, handles, or transmits raw card numbers.
Supabase (database, auth, storage): SOC 2 Type 2, ISO 27001, HIPAA-ready. Data at rest is encrypted; row-level security enforces per-user access.
Vercel (hosting, edge network, builds): SOC 2 Type 2, ISO 27001. Application hosting with encrypted environment variables and OIDC-based cloud auth.
Google (OAuth sign-in): Google Identity Platform, OAuth 2.0 standard. JazzNode never sees your Google password.
Resend (transactional email): SOC 2 Type 2. Tokyo region for APAC latency. DKIM, SPF, and DMARC enforced on all JazzNode domains.
AWS S3 (file storage): SOC 2, ISO 27001, PCI DSS. Used for profile images, venue photos, and press kits.

3. Encryption

All traffic to and from JazzNode is encrypted with TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enabled across all JazzNode domains.

Data at rest is encrypted by our infrastructure providers using AES-256 (Supabase, AWS S3, Vercel).

Ticket QR codes use signed tokens that cannot be forged or replayed by third parties.

4. Authentication & access control

Users authenticate via email/password (hashed with bcrypt by Supabase Auth) or Google OAuth 2.0. JazzNode never stores plaintext passwords or Google credentials.

Internal operations are partitioned into Owner, Admin, and Editor roles. Sensitive actions — refunds, payouts, data export, account deletion — require elevated roles and are logged.

Row Level Security (RLS) is enforced at the database layer. Even if an application bug were introduced, the database would reject unauthorized reads and writes.

5. Data minimization & retention

We collect what's needed to operate the service: account basics, events you buy tickets to, messages you send through the platform. Card data, Google passwords, and device biometrics are never stored by JazzNode.

Accounts can be deleted on request, with personal data removed within 30 days, except where retention is required by law (e.g., tax records for ticket sales).

See the Privacy Policy for the full breakdown.

6. Secret & credential management

Production secrets live in Vercel's encrypted environment variable store. Preview, development, and production environments are fully isolated.

Cloud-to-cloud authentication uses OIDC tokens with short lifetimes. No long-lived credentials are committed to source control.

Internal tooling access is reviewed and revoked when team members change roles or leave.

7. Monitoring & incident response

Runtime errors and anomalies are monitored via Vercel Observability and Supabase logs. Security-relevant events are flagged for review.

If an incident affects your data, we will notify affected users within 72 hours of confirmation, in line with GDPR Article 33 expectations.

Backups and point-in-time recovery are in place for the production database.

8. Responsible disclosure

If you believe you've found a security vulnerability, please email security@jazznode.com.

We commit to:

Acknowledging your report within 72 hours.
Keeping you updated on our investigation.
Crediting you (if you wish) once the issue is resolved.
Not pursuing legal action against good-faith researchers who comply with our scope and safe-harbor terms.

In scope: jazznode.com, *.jazznode.com, JazzNode iOS & Android apps. Out of scope: denial-of-service attacks, social engineering, physical attacks, and any research that degrades service for other users.

9. Regulatory alignment

GDPR: EU users have the right to access, correct, export, and delete their data. Our processors support EU data residency and standard contractual clauses.

Taiwan PDPA (個人資料保護法): 娛興喂有限公司 operates JazzNode in Taiwan under the Personal Data Protection Act.

Taiwan Consumer Protection Act §43: Our ticketing flow follows the 票券定型化契約 tiered refund framework.

DMCA: Rights holders can submit takedown notices to our registered agent. See the DMCA policy.

10. Certifications & roadmap

We will never claim a certification we don't hold. Here's the honest current state:

Held today: Inherited PCI DSS Level 1 (Stripe), SOC 2 Type 2 (Supabase, Vercel, Resend), ISO 27001 (Supabase, Vercel, AWS).
In progress: SOC 2 readiness assessment using automated compliance tooling; annual third-party penetration test; published DPA.
Planned: SOC 2 Type 1 attestation if enterprise demand triggers it. SOC 2 Type 2 follows Type 1 after a 12-month observation period. ISO 27001 and Japan P-mark are evaluated based on market demand.

11. Contact

For security issues, email security@jazznode.com.

For general privacy, compliance, or DPA requests, . A standard DPA is available at /legal/dpa.

For commercial / enterprise security questionnaires, include the word 'security questionnaire' in your subject line and we'll prioritize a response.